If you watched the season premiere of Mr. Robot, then you saw the hellish havoc fsociety visited upon the smart home of E Corp’s general counsel. She had no control over the internet-connected alarm system, lights, thermostat, stereo, TV or even the temperature of water during a shower.

Most folks don’t have an entire smart home, yet they may have some smart devices. If you had maybe a half-dozen or more Internet of Things (IoT) gadgets and they all started going off, and you couldn’t regain control, you’d likely realize your “smart” house was being hacked, but maybe not understand how.

While we’ve heard endlessly about the lack of good security being built into IoT devices, researchers wanted to show “real, not hypothetical” attacks which would prove that home routers and firewalls do not protect “smart” devices from internet attacks. The research paper “Smartphones attacking smart homes” was presented at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2016).

First, the researchers explained why some people believe a router keeps IoT devices “safe” from outside attackers. From outside your home network, an attacker can’t see your smart lightbulbs, webcams, motion detectors, power switches, photo frames, etc. Even if an external attacker knew you had them and wanted to hack your Philips Hue lightbulb or Belkin WeMo power switch, the packets sent would go to the home gateway; the gateway would not know which of the IoT devices, each with its own private IP address, should receive the packets, so the unsolicited traffic would be dropped.

The researchers said the “‘firewall’ feature, a side-effect of network address translation (NAT) between the public and private IP addresses, protects IoT devices in the home from direct internet attacks.”

But before you go feeling too secure, the researchers warned, “NAT/firewall protection is somewhat illusory, and can be easily penetrated by malware on users’ smartphones.” In fact, they called the over-reliance on home routers to protect smart devices “dangerous.”

For starters, researchers Vijay Sivaraman, Dominic Chan and Dylan Earl from the University of New South Wales and Roksana Boreli from National ICT Australia chose to get their maliciously tainted app into Apple’s App Store, since getting malware into a Google Play Android app is too easy. They took a legitimate app from the App Store, tweaked it to include malware, and then got their proof-of-concept iOS app approved even though Apple has a more stringent approval process than Google.

The tainted app discovers IoT devices on a person’s home network, although the average user would have no clue this was happening; this reconnaissance for IoT devices could not have been done from outside the home network. It would give an attacker the IoT “landscape” inside the home, so he or she could decide how best to attack a victim.

The app uses Universal Plug-n-Play (UPnP) to modify firewall settings, reconfigure routers, and open ports to IoT devices so an external attacker could access those devices. In case you didn’t know, most home routers support automatic port-mapping via UPnP by default for things like P2P sharing and video calling. But that feature is also a flaw, as it is what makes the researchers’ “attack vector a serious security threat for IoT devices.” The smart devices are then exposed to the Internet so an outside attacker can take control of the smart home.
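The defender's view of those UPnP port mappings, as an added example that is not from the article or the researchers' paper: it parses `GetGenericPortMappingEntry` responses (the action UPnP gateways expose for listing forwards) and reports enabled mappings that are not on a household allow-list. The sample responses, addresses and the allow-list are constructed for illustration; fetching the responses from a real router is outside the example.

```python
import xml.etree.ElementTree as ET

FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalClient",
          "NewInternalPort", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")

def sample_response(ext, proto, client, port, desc, lease, enabled=1):
    """Build a constructed GetGenericPortMappingEntryResponse body."""
    values = (ext, proto, client, port, enabled, desc, lease)
    args = "".join(f"<{k}>{v}</{k}>" for k, v in zip(FIELDS, values))
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u='
            '"urn:schemas-upnp-org:service:WANIPConnection:1">' + args +
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

def parse_mapping(xml_text):
    """Extract the port-mapping arguments from one SOAP response."""
    out = {}
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]      # tolerate namespaced arguments
        if name in FIELDS:
            out[name] = (el.text or "").strip()
    return out

def audit(responses, expected):
    """Report enabled mappings whose (client, port, protocol) is not expected."""
    findings = []
    for m in map(parse_mapping, responses):
        if m.get("NewEnabled") != "1":
            continue                          # disabled entries forward nothing
        client, proto = m["NewInternalClient"], m["NewProtocol"].upper()
        if (client, int(m["NewInternalPort"]), proto) in expected:
            continue
        reasons = ["not in allow-list"]
        if m.get("NewLeaseDuration") == "0":  # 0 = mapping never expires
            reasons.append("no expiry")
        findings.append((int(m["NewExternalPort"]), proto, client, reasons))
    return findings

SAMPLE = [  # constructed entries: one known forward, one unknown, one disabled
    sample_response(3074, "UDP", "192.168.1.20", 3074, "game console", 3600),
    sample_response(8080, "TCP", "192.168.1.57", 80, "", 0),
    sample_response(49153, "TCP", "192.168.1.61", 49153, "", 0, enabled=0),
]
EXPECTED = {("192.168.1.20", 3074, "UDP")}    # forwards the household set up

if __name__ == "__main__":
    print(audit(SAMPLE, EXPECTED))
```

A mapping that nobody in the house created and that never expires, pointing at an IoT device's address, is the trace this kind of malware leaves on the gateway.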

Once a hacker is done, then “the malware can restore firewall configuration to remove trace of the attack, or keep it open for future attacks.”

They used their iOS app, which they did take down after testing on the project team’s homes, “to discover several IoT devices in multiple homes,” and “to surreptitiously modify firewall configuration on home gateways from multiple vendors.”

Don’t think those are the only vulnerable devices, since the researchers added that there is a wide range of IoT devices which could be exploited after the smartphone app infiltrates a smart home.

Sure, there are some security extensions to the UPnP protocol, but the researchers seriously doubt home router manufacturers will implement them; non-techie users would freak out if they had to manually configure access before running P2P apps or game servers or making video calls.

If a hacker were able to release into a “trusted” app store a malware-laden smartphone app that could circumvent a home router’s firewall protection (and clearly it can be done, since the researchers did so), then, the researchers warned:

An attacker can use such malware to build a database of household IoT devices, while also creating port-mappings on the home routers in readiness for a future attack. An attacker can thus launch a large-scale attack against these households at a time of their choosing, or worse yet, offer this as a service to other malicious entities. In some ways this parallels the large-scale DDoS attacks prevalent today (such as the DD4BC extortion scheme) that abuse the SSDP, DNS, and NTP protocols to amplify attacks on victims, with significant economic costs.

If you keep up with IoT hacking news, then none of this will shock you, but it is an important reminder of how easily anyone with “smart” devices could be hacked and lose control just like the large-scale smart home attack portrayed on Mr. Robot.